Police have recovered $777,000 stolen in a Business Email Compromise (BEC) scam after the victim sought help quickly - highlighting the importance of reporting cybercrimes to authorities as soon as possible.
As part of Cyber Security Awareness Month, which starts today (1 October, 2024), the AFP-led Joint Policing Cybercrime Coordination Centre (JPC3) is sharing how Australians commonly become victims of BEC scams and how they can protect themselves by setting up multi-factor authentication (MFA) and checking the accuracy of email addresses.
In this highlighted case, cybercriminals created a fake email address with one letter different to the legitimate business email to deceive a South Australian woman into unknowingly sending $813,000 to criminals.
Following an investigation by the JPC3, international law enforcement partners and multiple financial institutions, authorities were able to return $777,000 to the woman earlier this year (March, 2024) - representing about 96 per cent of the funds stolen.
In May, 2023, the woman had notified her bank and police through ReportCyber at cyber.gov.au two days after she had transferred $813,000 to a fraudulent bank account instead of a legitimate conveyancer's account as part of the purchase of a new home.
She was targeted by a BEC, a fraud technique used to deceive victims into unknowingly transferring funds to financial accounts controlled by criminals.
Under the multiagency taskforce Operation DOLOS, JPC3 worked closely with state and territory police and multiple financial institutions to freeze the scammer's fraudulent bank account and retrieve $505,000 of the victim's stolen funds before the money was transferred further.
Police identified that nearly $300,000 of the victim's stolen funds had already been transferred into cryptocurrency via a fraudulent Digital Currency Exchange (DCE) account.
The JPC3 then collaborated with international law enforcement partner, the Pakistani National Response Centre for Cyber Crime (NR3C) and global cryptocurrency exchange Binance, to freeze the fraudulent DCE account and retrieve $272,000 of that $300,000.
The NR3C identified a Pakistani national as a suspected money mule, alleging he opened the account in his name for other criminals to use to launder illicit funds.
The investigation, involving Australian and international law enforcement agencies, into the criminal group behind this fraud is ongoing.
AFP Detective Acting Superintendent Darryl Parrish said BEC scams were increasingly complex and criminals either hacked into, or created near identical, business email accounts to manipulate financial transactions.
"Cybercriminals commonly target businesses and individuals making significant payments, like property transactions, in an attempt to divert victim's funds to a fraudulent account," he said.
"In many cases, cybercriminals gain access to a business' email account, altering banking details and sending the new details to clients who unknowingly transfer funds to criminals.
"Businesses can prevent cybercriminals from accessing their online accounts by setting up multi-factor authentication (MFA) to add an extra layer of security, making it harder for criminals to get in.
"In other cases, like this one, the criminal had created a fake email address that looked like the legitimate business email. It is crucial for people to double-check emails, particularly email addresses and banking details, to avoid becoming victims of BEC scams."
According to the Australian Cyber Security Centre (ACSC), self-reported BEC losses amounted to almost $80 million during 2022-2023. On average, the financial loss from each BEC incident was more than $39,000, impacting both individuals, and small-to-medium businesses. *
Det. A/Supt. Parrish said the case highlighted the global nature of cybercrime, and the importance of offshore and domestic law enforcement partners working closely together to tackle and disrupt scams from every angle.
"While the investigation resulted in a successful outcome for the victim, it took nearly 12 months for her to recover most of the funds, which undoubtedly had an emotional and financial impact on her daily life,' he said.
"This case is an important reminder for everyone that the recovery of funds is complex and, in some situations, not possible, which is why all Australians need to take preventative measures to protect themselves from these manipulative cybercriminals.
"If you are a victim or have suspicions you have been scammed, report it as soon as possible to your bank then to police via cyber.gov.au. This is the best approach for police and banks to stop the transfer and retrieve your money. You can help others protect themselves from similar scams by reporting to Scamwatch."
Binance Investigations Specialist Robert Thomson said the nature of public blockchains, where all transactions were visible and trackable, made it easier to trace and recover funds, but it was important for users to remain vigilant.
"Binance works closely with law enforcement authorities around the world to help users impacted by hacks or theft to get the support they need," Mr Thomson said.
"However, while we invest heavily in our platform security, we strongly urge all users to remain vigilant. Ultimately, users themselves play the largest role in safeguarding their assets, which is why we do our best to continuously educate and inform our users of potential scams. It is critical to stay informed, use strong security practices, and be cautious of potential scams."
Protect yourself from Business Email Compromise (BEC):
- Turn on multi-factor authentication which uses two or more ways to verify a person's identify.
- What you know: PIN or passphrase.
- What you receive: Code sent to you via an authenticator app, text or email; and
- Who you are: Biometrics like a face scan or fingerprint.